Guest Editorial: Do DBAs Need a Code of Ethics?

  • Ewan Hampson (2/5/2009)


    Well said, Andy Warren.

    roger.plowman (2/5/2009)


    Everyone knows what ethical behavior is.

    If only.

    Ethics comes from an individual considering their moral position, and can be assisted but not defined by a "Code". It is about being aware of the wider context and the implications for other people of what you do, in addition to anything that laws, regulations and employers' terms say.

    Sorry to be blunt, but this is not rocket science. There are only two guiding principles.

    1. Do not lie.

    2. Do not steal.

    Even #1 can be subsumed into #2 (theft of truth). After that, it becomes a matter of determining who owns what. And while that can be tricky, the underlying principle never changes. Ever. For any reason.

    You are paid to safeguard the integrity and confidentiality of the data. Translated: If you violate your agreement you are stealing from your employer. Yes, deliberate intent is required, and due diligence covers issues like some bad guy making it past your best efforts.

    But anything else? Do not steal.

    Did I just create a written code of ethics in spite of myself? 🙂

  • FFalcon1961 (2/5/2009)


    Question is this ethics board going to be willing to stand up for a member that has been asked to do something unethical and they are terminated for not compiling?

    Sounds like developer ethics to me . . . not sure if that was a joke or not, on the one hand it's a very good point (if read as "complying"), on the other hand, it's funny as all get out.

    ---------------------------------------------------------
    How best to post your question
    How to post performance problems
    Tally Table: What it is and how it replaces a loop

    "stewsterl 80804 (10/16/2009)I guess when you stop and try to understand the solution provided you not only learn, but save yourself some headaches when you need to make any slight changes."

  • As has been discussed by a few different posters, there are certain professional groups that require membership in a larger organization (i.e. Medical Personnel) that enforces ethical practices.

    I would argue that, in modern society, the only reason to have a written code of ethics is to enforce it. Every individual has a pretty good idea of right and wrong; they're going to make their own choices regardless of what's written. Having a well-defined code of ethics allows an oversight entity to point to it and say "this is why you're disbarred."

    Until and unless there is some overarching DBA professional organization that everyone belongs to (and that has power to enforce ethical policy) there is no point in creating a DBA code of ethics.

  • I agree with you completely. This will be a double-edged sword. The problem I see with this is that a person of ethics will stay ethical. If I become a part of a group that supports a code of ethics that I am to follow, what support does the Code of Ethics give me? If my employer interprets it one way and it is ok and my next manager comes back and uses the Code of Ethics set by the DBAs Code of Ethics and terminates me, what good is the Code?

    If someone doesn't have this already then a code isn't going to change things.

  • This sounds more like some narcissistic, self-important, "oh look at me, I'm ethical" monkey business - a complete waste of time serving no purpose and surely not being enforceable. What are we going to do? Send unethical DBAs to a prison on some island like say, Cuba?

    I agree with this. The writer of the piece I read sounded like they had disappeared up their own backside and started comparing themselves with a doctor of medicine. Yes a DBA could potentially do a lot of damage but so could a lot of much less qualified people, in much less 'important' jobs.

    As DBAs we make technical decisions, not ethical ones. There is actually a right and a wrong solution to each problem we face. Granted, we have to work around things from time to time but it's a case of 'how do I...' not 'should I...'

    If your manager asks you to break the law, then they're breaking the law.

    If you steal data, look at confidential information for no reason, edit information for your own purposes etc etc then you are breaking your conditions of employment and probably the law.

    If you find yourself wondering if what you're doing is morally right or wrong then see your manager.

    Tom

    Just as a point, and I think the term 'ethical' has been taken to mean a number of things now, can anyone give me an example of a moral/ethical/code of conduct related dilemma they've faced?

    I think all things to do with the management of a database will be covered by law or terms of employment.

  • I don't think ethics is that easy, and I'd rate myself pretty high on the ethic-meter. Don't lie/don't steal are fine, but what about gray areas?

    - As mentioned, a SQL injection vulnerability that you know could expose privacy/credit card data? Do you quit? Call the FBI? How long do you give them to fix?

    - What if an employer wants you to provision a new SQL Server, but wait to pay for the SQL license when SQL 10/11 ships. Technically stealing, do you say no? Quit? Report them?

    - How about if your CIO asks for a spreadsheet of all customers with a credit line of more than $25k (name, address, account #). Do you provide it? Ask him to state he's not going to mis-use it?

    - Or you discover that your offsite backup plan consists of the network guy taking the unencrypted tape home with him every night, he's a drunk, getting divorced, and has money problems - what is your role in heading off possible data loss?

    Maybe it does come down to don't lie/don't steal. I think the problem with very fixed rules is that they actually give us a way to avoid the gray areas, and that's where the pain often is.

    I'm just arguing my view, but it's a good discussion.

  • roger.plowman (2/5/2009)


    A written code of ethics is an admission of failure… Those who are ethical do not require a written code…

    I wholeheartedly agree! Codes of conduct are born out of abuse and/or failure of a particular system. Just look at the current financial mess the country is in. The only hope of curtailing this behavior is to hold people accountable for their actions (different from regulation), which usually means some sort of punishment. Most DBAs know what is at stake and what will happen if they conduct themselves incorrectly.

  • Doctors have a code of ethics yet know of them quit their job when insurance tells them they can't perform the surgery that saves the life of a patient. :w00t:

  • I will not belabor the points mentioned. For taking leadership on ethics my responses are:

    - Microsoft - NO, NO, a thousand times NO !!! (nor Oracle, nor Sybase or any other software vendor for that matter)

    - PASS - NO - it is too dedicated to SQL Server and Microsoft

    - SQL ServerCentral - no - even though the community has depth and breadth, it is still not diverse enough

    There already is a professional organization that crosses all platforms, vendors and boundaries that has been in existence since 1951 - that's 58 years. It is the Association of Information Technology Professionals - http://www.aitp.org/

    As for a statement of ethics, they have had one in force for quite a while. It is straightforward and pretty encompassing of all of the issues mentioned.

    http://www.aitp.org/organization/about/ethics/ethics.jsp

    And a version suitable for printing:

    http://www.aitp.org/join/SCOH17CodeEthicsStdsCdt.pdf

    For something that has been around for so long the ethics espoused are quite eloquent.

    Regards
    Rudy Komacsar
    Senior Database Administrator
    "Ave Caesar! - Morituri te salutamus."

  • As Andy said, ethics has a lot of gray areas. If you look at the American Medical Association's code of ethics, there are 200 opinions attached that relate to specific situations, and can change over the course of time in response to society.

    IMHO the best statements related to integrity are found at the American Institute of Certified Public Accountants, Code of Professional Conduct:

    http://www.aicpa.org/about/code/et_54.html

  • wrote:

    Lack of action on your manager's part isn't a lack of action on your part. And I imagine most managers would want this fixed fairly quickly. Don't quit, just do the best you can to fix the issue.

    - What if an employer wants you to provision a new SQL Server, but wait to pay for the SQL license when SQL 10/11 ships. Technically stealing, do you say no? Quit? Report them?

    The DBA isn't (usually) in charge of licensing compliance. It's against the licence agreement and it's breaking the law to install it. Legal issue.

    - How about if your CIO asks for a spreadsheet of all customers with a credit line of more than $25k (name, address, account #). Do you provide it? Ask him to state he's not going to mis-use it?

    Is it a DBA's business what data a company pulls from its database? No. If he loses the file on a train it'll be his fault, not yours. The CIO more than anyone knows the value of that data.

    - Or you discover that your offsite backup plan consists of the network guy taking the unencrypted tape home with him every night, he's a drunk, getting divorced, and has money problems - what is your role in heading off possible data loss?

    As DBA, you make sure the data gets safely transported to an offsite location. Giving it to a drunk guy is not a good idea. Find another employee. Or better yet, DIY! and it should be encrypted, of course, but who makes it happen. If it's not you then approach the person who is in charge of it.

    I personally don't take responsibility without taking control. I would never point at someone and try to pass the blame for the same reason.

    If you're at a company where things aren't right, all you can do is your best to make them so. That's your moral obligation as a conscientious employee.

    Tom

  • Rudy, William, I will take a look at both links - good to see what others are doing and try to learn from that.

    And that's a really interesting point about PASS (or SSC or ...) being too small an umbrella. I see the challenge if you're in a job where you do Oracle/MySQL/SQL Server and having 3 different sets of ethics! At the same time, going back to the idea of the AMA opinions, maybe there is a place for some SQL Server specific guidance/opinions that layer on top of more broad reaching ones?

  • We all SHOULD have an imbedded code already, given to us by our parents. As we can see in today’s world even a well written code of ethics can and will be broken by those of us that don't have this “Thou shalt not steal” part already there. NOT stealing the data is what it’s all about for us DBA’s.

  • As one of the previous posters pointed out, there are many positions that have access to confidential data. A DBA position should not be singled out.

    I think a better way of ensuring ethics are not violated is by division of responsibilities, security procedures, and auditing.

    An example of division of responsibilities is that DBAs and Developers are different roles.

    An example of security is giving individuals the least amount of authority to do their job. Also, encryption of confidential data is a good security measure.

    An example of auditing is logging logins and activity of users.

    When ethics violations are encountered and documented, such as stealing, the employer most likely has a section in the company handbook that states how to proceed with such violations.

    Creating some kind of federal bureaucracy or “governing body” is unnecessary, because real ethics violations are already prosecutable by law.

    As far as any “grey areas”, as a senior DBA, I make recommendations to the company. They can either take my recommendations, come up with another solution, or ignore them. I have never been asked to deliberately do something wrong. However, if that situation ever presented itself, I would explain my position, and try to come up with an alternative. If no satisfactory alternative could be found, I would document our conversation in an email as an audit, and send it to them, I would hold my position, sleep well at night, and wait for the employer’s decision.

  • Formulating a set of ethical guidelines is a good thing. Yes, common sense needs to dictate basics, like "don't deliberately sabotage your employer because you're annoyed at your boss". But published standards are easier to comply with than "everybody knows that!" standards. That applies to ethics just as much as it does to coding.

    - Gus "GSquared", RSVP, OODA, MAP, NMVP, FAQ, SAT, SQL, DNA, RNA, UOI, IOU, AM, PM, AD, BC, BCE, USA, UN, CF, ROFL, LOL, ETC
    Property of The Thread

    "Nobody knows the age of the human race, but everyone agrees it's old enough to know better." - Anon
